On Wed, April 25, 2007 7:00 am, Tijnema ! wrote:
> On 4/25/07, Satyam <Satyam@xxxxxxxxxxxxx> wrote:
>> Sorry I'm late to this thread, I don't know if it has been mentioned, but
>> most files have a 'magic number' at the beginning of the file, which usually
>> reads as a couple of letters or more. I think EXE files start with MZ, gifs
>> with GIFxx where xx is the last two digits of the year of the standard.
>> Just open files of the types you are concerned about and check the first few
>> characters.
>>
>> Satyam
>
> I believe that mime_content_type does this, by reading a .magic file.
> In a magic file, these are described, I believe. But how would
> you detect (by a magic number) if a script is HTML or PHP? No way :P
> Of course, it's both not valid for an image file, but you might be
> worried when the first magic bytes are faked. Does somebody care if
> there are a few magic bytes displayed at the top of his page?

Yes, no, sort of.

Once you've checked the "magic numbers" at the start, the potential abuses shrink DRAMATICALLY.

For example, I'm pretty sure that most Operating Systems will refuse to execute a file that starts with 'GIF89a' as if it were a binary executable.

That doesn't mean somebody couldn't manage to write an abusive Perl script (or PHP script or Java applet or whatever) that "looks" like a GIF because it starts with "GIF89a" and then that person might still manage to trick your PHP script into putting it somewhere that it will get executed as a script on your server, rather than just displayed as a GIF (looking like "noise" or "abstract art", at best) in a browser.

But checking the magic number in some fashion will alter a huge sucking chest wound of a Security hole into a small punctured lung of a Security hole. :-)

You should, of course, also take care that the files in question could not possibly get executed, nor passed into any kind of parser like PHP, Perl, Python, Java, JSP, ASP, etc.
That would be another barrier to try to erect.

Every extra barrier you layer in there will slim down the number of attackers that can get through, usually.

"Defense in Depth" it's usually called.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
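As an added example (not code from this thread, nor from PHP's own mime_content_type), here is what the two barriers discussed above look like in PHP: a magic-number whitelist on the leading bytes of an upload, followed by a scan for script markers and a server-chosen storage name outside the document root. The signature table, the storage directory, and the three sample "uploads" are all constructed for the demo; the polyglot case shows why a correct GIF89a prefix alone proves nothing about the rest of the file.

```php
<?php
// Added example, not from the original thread.  Demonstrates (1) a magic-number
// whitelist, (2) why a faked magic number still leaves script bytes behind it,
// (3) storing the file under a name and path the uploader does not control.

// Barrier 1: leading bytes we are willing to accept.  "MZ" executables and
// "#!" scripts are rejected simply by not being on this list (assumed table).
const ALLOWED_SIGNATURES = [
    'image/gif'  => ["GIF87a", "GIF89a"],
    'image/png'  => ["\x89PNG\r\n\x1a\n"],
    'image/jpeg' => ["\xFF\xD8\xFF"],
];

/** Return the accepted type for the file's leading bytes, or null to reject. */
function detectByMagic(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 16);            // longest signature above is 8 bytes
    fclose($fh);
    if ($head === false) {
        return null;
    }
    foreach (ALLOWED_SIGNATURES as $type => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

/**
 * Barrier 2: a magic number says nothing about the bytes that follow it.
 * Look for the open tags a server-side parser would act on if this file
 * ever ended up being included or executed.
 */
function containsScriptMarker(string $path): bool
{
    $data = file_get_contents($path);
    return $data !== false && preg_match('/<\?(php|=)|<%|#!/i', $data) === 1;
}

/**
 * Barrier 3: the uploader chooses neither the name nor the extension nor the
 * directory.  $storeDir is assumed to be outside the web root and served, if
 * at all, through a script that sends it with an image Content-Type.
 * (In a real upload handler use move_uploaded_file() instead of rename().)
 */
function storeUpload(string $tmpPath, string $type, string $storeDir): ?string
{
    $ext = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'][$type] ?? null;
    if ($ext === null) {
        return null;
    }
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return rename($tmpPath, $dest) ? $dest : null;
}

// --- demo on constructed files (not real uploads) ---
$cases = [
    'real.gif'     => "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                    . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
                    . "\x02\x02D\x01\x00;",                 // a genuine 1x1 GIF
    'polyglot.gif' => "GIF89a<?php phpinfo(); ?>",           // faked magic bytes
    'evil.exe'     => "MZ\x90\x00\x03\x00\x00\x00",          // DOS/PE header
];
$storeDir = sys_get_temp_dir() . '/uploads-demo';            // assumed location
@mkdir($storeDir);

foreach ($cases as $name => $bytes) {
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);

    $type   = detectByMagic($path);
    $script = containsScriptMarker($path);
    $stored = ($type !== null && !$script) ? storeUpload($path, $type, $storeDir) : null;

    printf("%-13s magic=%-10s script-marker=%-3s stored=%s\n",
        $name, $type ?? 'REJECT', $script ? 'yes' : 'no', $stored ?? 'no');

    if (file_exists($path)) {
        unlink($path);
    }
}
```

Run with `php example.php`: real.gif passes both checks and is stored under a random name; polyglot.gif passes the magic check (it really does start with GIF89a) but is caught by the script-marker scan; evil.exe never gets past the first check. Even with all three barriers, the stored file should sit where no web server or interpreter will ever be asked to run it, which is the point the message above makes about defense in depth.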